2016-12-07 22:07:39

by guido

Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy

Whenever a module uses the miscfiles_read_generic_certs() interface
to read system-wide SSL certificates, it should also be allowed to
read user certificates by using the new userdom_read_user_certs()
interface.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/apache.te | 3 +++
policy/modules/contrib/automount.te | 1 +
policy/modules/contrib/avahi.te | 1 +
policy/modules/contrib/bind.te | 1 +
policy/modules/contrib/cyrus.te | 1 +
policy/modules/contrib/dbus.te | 1 +
policy/modules/contrib/dovecot.te | 1 +
policy/modules/contrib/exim.te | 1 +
policy/modules/contrib/fetchmail.te | 1 +
policy/modules/contrib/geoclue.te | 2 ++
policy/modules/contrib/irc.te | 1 +
policy/modules/contrib/kerberos.te | 1 +
policy/modules/contrib/ldap.te | 1 +
policy/modules/contrib/mozilla.te | 2 ++
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/portage.te | 1 +
policy/modules/contrib/postfix.te | 1 +
policy/modules/contrib/puppet.te | 4 ++++
policy/modules/contrib/radius.te | 1 +
policy/modules/contrib/rhsmcertd.te | 2 ++
policy/modules/contrib/rpc.te | 2 ++
policy/modules/contrib/samba.te | 1 +
policy/modules/contrib/sasl.te | 1 +
policy/modules/contrib/sendmail.te | 1 +
policy/modules/contrib/squid.te | 1 +
policy/modules/contrib/sssd.te | 2 ++
policy/modules/contrib/stunnel.te | 1 +
policy/modules/contrib/syncthing.te | 1 +
policy/modules/contrib/virt.te | 1 +
policy/modules/contrib/w3c.te | 2 ++
policy/modules/services/ssh.if | 2 ++
policy/modules/system/authlogin.if | 2 ++
policy/modules/system/authlogin.te | 2 ++
policy/modules/system/init.te | 1 +
policy/modules/system/udev.te | 1 +
35 files changed, 49 insertions(+), 1 deletion(-)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/apache.te refpolicy-git-07122016/policy/modules/contrib/apache.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/apache.te 2016-10-29 16:29:19.662325285 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/apache.te 2016-12-07 22:32:33.448835795 +0100
@@ -525,6 +525,7 @@ miscfiles_read_tetex_data(httpd_t)

seutil_dontaudit_search_config(httpd_t)

+userdom_read_user_certs(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)

ifdef(`TODO',`
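Review bot: `userdom_read_user_certs(httpd_t)` is added unconditionally to the main httpd_t rules, so the web server domain gets the access on every system, whether or not it serves anything from user home directories. If httpd really needs it, the line belongs inside the module's existing home-directory tunable block (httpd_enable_homedirs, if that is the right gate), with a one-line comment such as `# client certificates kept in the user's ~/.pki`. The visible context shows no `miscfiles_read_generic_certs(httpd_t)` call, so the rule stated in the description cannot be confirmed from this hunk.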
@@ -1398,6 +1399,8 @@ auth_use_nsswitch(httpd_passwd_t)
miscfiles_read_generic_certs(httpd_passwd_t)
miscfiles_read_localization(httpd_passwd_t)

+userdom_read_user_certs(httpd_passwd_t)
+
########################################
#
# GPG local policy
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/automount.te refpolicy-git-07122016/policy/modules/contrib/automount.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/automount.te 2016-10-29 16:29:19.663325313 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/automount.te 2016-12-07 22:31:19.088598917 +0100
@@ -145,6 +145,7 @@ mount_domtrans(automount_t)
mount_signal(automount_t)

userdom_dontaudit_use_unpriv_user_fds(automount_t)
+userdom_read_user_certs(automount_t)

optional_policy(`
fstools_domtrans(automount_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/avahi.te refpolicy-git-07122016/policy/modules/contrib/avahi.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/avahi.te 2016-10-29 16:29:19.663325313 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/avahi.te 2016-12-07 22:29:52.589160116 +0100
@@ -96,6 +96,7 @@ sysnet_etc_filetrans_config(avahi_t)

userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
+userdom_read_user_certs(avahi_t)

optional_policy(`
dbus_system_domain(avahi_t, avahi_exec_t)
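Review bot: The new allow sits directly under `userdom_dontaudit_search_user_home_dirs(avahi_t)`, which documents that this daemon is not expected to enter user home directories at all, so the two lines contradict each other. Either drop `userdom_read_user_certs(avahi_t)`, or remove the dontaudit and state in a comment which avahi feature reads user certificates. The definition of userdom_read_user_certs() is not part of this patch; if it does not itself grant search on the home directory, the access would fail with no AVC logged, because the dontaudit hides the denial. The same pairing appears in bind.te, cyrus.te, dbus.te, exim.te, kerberos.te, ldap.te, radius.te, sasl.te, squid.te and stunnel.te, and in portage.te next to `userdom_dontaudit_read_user_home_content_files(portage_fetch_t)`.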
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/bind.te refpolicy-git-07122016/policy/modules/contrib/bind.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/bind.te 2016-10-29 16:29:19.663325313 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/bind.te 2016-12-07 22:34:05.532367477 +0100
@@ -165,6 +165,7 @@ miscfiles_read_localization(named_t)

userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
+userdom_read_user_certs(named_t)

tunable_policy(`named_tcp_bind_http_port',`
corenet_sendrecv_http_server_packets(named_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/cyrus.te refpolicy-git-07122016/policy/modules/contrib/cyrus.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/cyrus.te 2016-08-14 21:28:11.475519313 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/cyrus.te 2016-12-07 22:34:28.936756777 +0100
@@ -112,6 +112,7 @@ miscfiles_read_generic_certs(cyrus_t)

userdom_use_unpriv_users_fds(cyrus_t)
userdom_dontaudit_search_user_home_dirs(cyrus_t)
+userdom_read_user_certs(cyrus_t)

mta_manage_spool(cyrus_t)
mta_send_mail(cyrus_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te refpolicy-git-07122016/policy/modules/contrib/dbus.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/dbus.te 2016-12-07 22:33:02.912325877 +0100
@@ -142,6 +142,7 @@ seutil_read_default_contexts(system_dbus

userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+userdom_read_user_certs(system_dbusd_t)

optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dovecot.te refpolicy-git-07122016/policy/modules/contrib/dovecot.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/dovecot.te 2016-08-14 21:28:11.483519435 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/dovecot.te 2016-12-07 22:37:48.690079398 +0100
@@ -172,6 +172,7 @@ auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)

userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_read_user_certs(dovecot_t)
userdom_use_user_terminals(dovecot_t)

tunable_policy(`use_nfs_home_dirs',`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/exim.te refpolicy-git-07122016/policy/modules/contrib/exim.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/exim.te 2016-08-14 21:28:11.486519481 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/exim.te 2016-12-07 22:27:50.365127088 +0100
@@ -158,6 +158,7 @@ miscfiles_read_localization(exim_t)
miscfiles_read_generic_certs(exim_t)

userdom_dontaudit_search_user_home_dirs(exim_t)
+userdom_read_user_certs(exim_t)

mta_read_aliases(exim_t)
mta_read_config(exim_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/fetchmail.te refpolicy-git-07122016/policy/modules/contrib/fetchmail.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/fetchmail.te 2016-08-14 21:28:11.487519497 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/fetchmail.te 2016-12-07 22:33:46.074043815 +0100
@@ -92,6 +92,7 @@ miscfiles_read_localization(fetchmail_t)
miscfiles_read_generic_certs(fetchmail_t)

userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+userdom_read_user_certs(fetchmail_t)
userdom_search_user_home_dirs(fetchmail_t)

optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/geoclue.te refpolicy-git-07122016/policy/modules/contrib/geoclue.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/geoclue.te 2016-10-29 16:29:19.665325367 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/geoclue.te 2016-12-07 22:33:23.292664878 +0100
@@ -33,6 +33,8 @@ auth_use_nsswitch(geoclue_t)
miscfiles_read_generic_certs(geoclue_t)
miscfiles_read_localization(geoclue_t)

+userdom_read_user_certs(geoclue_t)
+
optional_policy(`
avahi_dbus_chat(geoclue_t)
')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/irc.te refpolicy-git-07122016/policy/modules/contrib/irc.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/irc.te 2016-08-14 21:28:11.502519727 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/irc.te 2016-12-07 22:30:49.819112058 +0100
@@ -116,6 +116,7 @@ userdom_use_user_terminals(irc_t)

userdom_manage_user_home_content_dirs(irc_t)
userdom_manage_user_home_content_files(irc_t)
+userdom_read_user_certs(irc_t)
userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })

tunable_policy(`irc_use_any_tcp_ports',`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/kerberos.te refpolicy-git-07122016/policy/modules/contrib/kerberos.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/kerberos.te 2016-08-14 21:28:11.506519789 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/kerberos.te 2016-12-07 22:44:02.192292092 +0100
@@ -255,6 +255,7 @@ sysnet_use_ldap(krb5kdc_t)

userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+userdom_read_user_certs(krb5kdc_t)

optional_policy(`
ldap_stream_connect(krb5kdc_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/ldap.te refpolicy-git-07122016/policy/modules/contrib/ldap.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/ldap.te 2016-10-29 16:29:19.666325394 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/ldap.te 2016-12-07 22:38:33.985832831 +0100
@@ -130,6 +130,7 @@ miscfiles_read_localization(slapd_t)

userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
+userdom_read_user_certs(slapd_t)

optional_policy(`
kerberos_manage_host_rcache(slapd_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te refpolicy-git-07122016/policy/modules/contrib/mozilla.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te 2016-12-07 13:39:50.051911134 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/mozilla.te 2016-12-07 22:42:55.424181497 +0100
@@ -496,6 +496,8 @@ userdom_user_home_dir_filetrans_user_hom

userdom_write_user_tmp_sockets(mozilla_plugin_t)

+userdom_read_user_certs(mozilla_plugin_t)
+
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)

ifndef(`enable_mls',`
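Review bot: `userdom_read_user_certs(mozilla_plugin_t)` gives the plugin domain, which processes untrusted web content, read access to whatever is labeled as user certificates. The networkmanager.te comment in this patch places that label on `~/.pki`, and the NSS database kept there normally holds the user's private keys alongside the certificates, so this is presumably more than read access to public CA data. Before granting it to a confined plugin domain, confirm what the interface covers; if keys are included, the line should be dropped, or the key files given a separate type that this interface does not reach.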
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te refpolicy-git-07122016/policy/modules/contrib/networkmanager.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te 2016-10-29 16:29:19.759327926 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/networkmanager.te 2016-12-07 22:28:42.917001217 +0100
@@ -176,7 +176,7 @@ sysnet_manage_config(NetworkManager_t)
sysnet_etc_filetrans_config(NetworkManager_t)

# certificates in user home directories (cert_home_t in ~/\.pki)
-userdom_read_user_home_content_files(NetworkManager_t)
+userdom_read_user_certs(NetworkManager_t)

userdom_write_user_tmp_sockets(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
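Review bot: This is the only hunk that removes access, and replacing `userdom_read_user_home_content_files(NetworkManager_t)` narrows NetworkManager from all generic home content to the certificate type only. That is the better least-privilege outcome, but certificates or keys a user stores outside `~/.pki` presumably keep the generic home label and would become unreadable after this change. The comment above the line should say so, for example `# only cert_home_t (~/.pki); certificates stored elsewhere in $HOME must be relabeled`, and the narrowing deserves a mention in the commit description, since it is a behaviour change rather than an addition.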
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/portage.te refpolicy-git-07122016/policy/modules/contrib/portage.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/portage.te 2016-08-14 21:28:11.540520311 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/portage.te 2016-12-07 22:40:40.877943507 +0100
@@ -308,6 +308,7 @@ miscfiles_read_localization(portage_fetc

userdom_use_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+userdom_read_user_certs(portage_fetch_t)

rsync_exec(portage_fetch_t)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/postfix.te refpolicy-git-07122016/policy/modules/contrib/postfix.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/postfix.te 2016-08-14 21:28:11.542520342 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/postfix.te 2016-12-07 22:38:10.593443730 +0100
@@ -161,6 +161,7 @@ miscfiles_read_localization(postfix_doma
miscfiles_read_generic_certs(postfix_domain)

userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
+userdom_read_user_certs(postfix_domain)

optional_policy(`
udev_read_db(postfix_domain)
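Review bot: `userdom_read_user_certs(postfix_domain)` is applied to an attribute, so every postfix type carrying it gains the access, including helpers that never speak TLS. The same applies to `userdom_read_user_certs(nsswitch_domain)` in the second authlogin.te hunk, where the attribute presumably covers every domain that uses auth_use_nsswitch() and the grant is limited only by the authlogin_nsswitch_use_ldap tunable. Name the individual types that actually load a user certificate instead of the attribute, and add a comment at each call saying which feature needs it.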
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/puppet.te refpolicy-git-07122016/policy/modules/contrib/puppet.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/puppet.te 2016-10-29 16:29:19.760327953 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/puppet.te 2016-12-07 22:35:22.343645122 +0100
@@ -246,6 +246,8 @@ miscfiles_read_generic_certs(puppetca_t)

seutil_read_file_contexts(puppetca_t)

+userdom_read_user_certs(puppetca_t)
+
optional_policy(`
hostname_exec(puppetca_t)
')
@@ -324,6 +326,8 @@ seutil_read_file_contexts(puppetmaster_t

sysnet_run_ifconfig(puppetmaster_t, system_r)

+userdom_read_user_certs(puppetmaster_t)
+
optional_policy(`
hostname_exec(puppetmaster_t)
')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/radius.te refpolicy-git-07122016/policy/modules/contrib/radius.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/radius.te 2016-08-14 21:28:11.552520496 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/radius.te 2016-12-07 22:38:52.748144915 +0100
@@ -116,6 +116,7 @@ sysnet_use_ldap(radiusd_t)

userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
userdom_dontaudit_search_user_home_dirs(radiusd_t)
+userdom_read_user_certs(radiusd_t)

optional_policy(`
cron_system_entry(radiusd_t, radiusd_exec_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rhsmcertd.te refpolicy-git-07122016/policy/modules/contrib/rhsmcertd.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/rhsmcertd.te 2016-08-14 21:28:11.558520588 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/rhsmcertd.te 2016-12-07 22:36:51.336125394 +0100
@@ -69,6 +69,8 @@ miscfiles_read_generic_certs(rhsmcertd_t

sysnet_dns_name_resolve(rhsmcertd_t)

+userdom_read_user_certs(rhsmcertd_t)
+
optional_policy(`
rpm_read_db(rhsmcertd_t)
')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rpc.te refpolicy-git-07122016/policy/modules/contrib/rpc.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/rpc.te 2016-10-29 16:29:19.760327953 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/rpc.te 2016-12-07 22:36:03.763334093 +0100
@@ -183,6 +183,7 @@ miscfiles_read_generic_certs(rpcd_t)

seutil_dontaudit_search_config(rpcd_t)

+userdom_read_user_certs(rpcd_t)
userdom_signal_all_users(rpcd_t)

ifdef(`distro_debian',`
@@ -315,6 +316,7 @@ auth_manage_cache(gssd_t)

miscfiles_read_generic_certs(gssd_t)

+userdom_read_user_certs(gssd_t)
userdom_signal_all_users(gssd_t)

tunable_policy(`allow_gssd_read_tmp',`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/samba.te refpolicy-git-07122016/policy/modules/contrib/samba.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/samba.te 2016-10-29 16:29:19.760327953 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/samba.te 2016-12-07 22:26:58.344261788 +0100
@@ -938,6 +938,7 @@ userdom_manage_user_home_content_files(w
userdom_manage_user_home_content_symlinks(winbind_t)
userdom_manage_user_home_content_pipes(winbind_t)
userdom_manage_user_home_content_sockets(winbind_t)
+userdom_read_user_certs(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })

optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sasl.te refpolicy-git-07122016/policy/modules/contrib/sasl.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/sasl.te 2016-08-14 21:28:11.566520711 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/sasl.te 2016-12-07 22:39:43.641991464 +0100
@@ -89,6 +89,7 @@ seutil_dontaudit_read_config(saslauthd_t

userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+userdom_read_user_certs(saslauthd_t)

auth_can_read_shadow_passwords(saslauthd_t)
tunable_policy(`allow_saslauthd_read_shadow',`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sendmail.te refpolicy-git-07122016/policy/modules/contrib/sendmail.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/sendmail.te 2016-08-14 21:28:11.568520741 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/sendmail.te 2016-12-07 22:43:38.997906286 +0100
@@ -115,6 +115,7 @@ miscfiles_read_generic_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)

userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+userdom_read_user_certs(sendmail_t)

mta_etc_filetrans_aliases(sendmail_t, file, "aliases")
mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/squid.te refpolicy-git-07122016/policy/modules/contrib/squid.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/squid.te 2016-08-14 21:28:11.576520864 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/squid.te 2016-12-07 22:37:12.074470348 +0100
@@ -180,6 +180,7 @@ miscfiles_read_localization(squid_t)

userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
+userdom_read_user_certs(squid_t)

tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sssd.te refpolicy-git-07122016/policy/modules/contrib/sssd.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/sssd.te 2016-08-14 21:28:11.577520880 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/sssd.te 2016-12-07 22:30:15.278537523 +0100
@@ -117,6 +117,8 @@ miscfiles_read_localization(sssd_t)
sysnet_dns_name_resolve(sssd_t)
sysnet_use_ldap(sssd_t)

+userdom_read_user_certs(sssd_t)
+
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/stunnel.te refpolicy-git-07122016/policy/modules/contrib/stunnel.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/stunnel.te 2016-08-14 21:28:11.577520880 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/stunnel.te 2016-12-07 22:36:21.764633513 +0100
@@ -79,6 +79,7 @@ miscfiles_read_localization(stunnel_t)

userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
userdom_dontaudit_search_user_home_dirs(stunnel_t)
+userdom_read_user_certs(stunnel_t)

optional_policy(`
daemontools_service_domain(stunnel_t, stunnel_exec_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/syncthing.te refpolicy-git-07122016/policy/modules/contrib/syncthing.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/syncthing.te 2016-10-29 16:29:19.761327980 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/syncthing.te 2016-12-07 22:40:18.758575580 +0100
@@ -61,6 +61,7 @@ miscfiles_read_localization(syncthing_t)
userdom_manage_user_home_content_files(syncthing_t)
userdom_manage_user_home_content_dirs(syncthing_t)
userdom_manage_user_home_content_symlinks(syncthing_t)
+userdom_read_user_certs(syncthing_t)
userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
userdom_use_user_terminals(syncthing_t)
# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/virt.te refpolicy-git-07122016/policy/modules/contrib/virt.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/virt.te 2016-10-29 16:29:19.762328008 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/virt.te 2016-12-07 22:31:43.040997330 +0100
@@ -668,6 +668,7 @@ sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)

userdom_read_all_users_state(virtd_t)
+userdom_read_user_certs(virtd_t)

ifdef(`hide_broken_symptoms',`
dontaudit virtd_t self:capability { sys_module sys_ptrace };
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/w3c.te refpolicy-git-07122016/policy/modules/contrib/w3c.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/w3c.te 2016-08-14 21:28:11.595521156 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/w3c.te 2016-12-07 22:29:10.371457882 +0100
@@ -32,3 +32,5 @@ corenet_tcp_sendrecv_http_cache_port(htt
miscfiles_read_generic_certs(httpd_w3c_validator_script_t)

sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+userdom_read_user_certs(httpd_w3c_validator_script_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/services/ssh.if refpolicy-git-07122016/policy/modules/services/ssh.if
--- refpolicy-git-07122016-orig/policy/modules/services/ssh.if 2016-08-14 21:24:48.949382056 +0200
+++ refpolicy-git-07122016/policy/modules/services/ssh.if 2016-12-07 22:49:25.595671461 +0100
@@ -394,6 +394,8 @@ template(`ssh_role_template',`

seutil_dontaudit_read_config($1_ssh_agent_t)

+ userdom_read_user_certs($1_ssh_agent_t)
+
# Write to the user domain tty.
userdom_use_user_terminals($1_ssh_agent_t)

diff -pruN refpolicy-git-07122016-orig/policy/modules/system/authlogin.if refpolicy-git-07122016/policy/modules/system/authlogin.if
--- refpolicy-git-07122016-orig/policy/modules/system/authlogin.if 2016-08-14 21:24:48.953382119 +0200
+++ refpolicy-git-07122016/policy/modules/system/authlogin.if 2016-12-07 22:46:36.779863443 +0100
@@ -390,6 +390,8 @@ interface(`auth_domtrans_chk_passwd',`

miscfiles_read_generic_certs($1)

+ userdom_read_user_certs($1)
+
optional_policy(`
kerberos_read_keytab($1)
')
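Review bot: The added `userdom_read_user_certs($1)` inside auth_domtrans_chk_passwd applies to the calling domain, not to the password-checking helper it transitions to. Every domain that calls this interface to run the helper would therefore gain read access to user certificates as a side effect of an interface whose name promises only a domain transition. The line should be dropped here and added explicitly in the callers that need it; if it stays, the interface's summary block has to document the extra access. The interface body starts and ends outside this hunk, so the existing `miscfiles_read_generic_certs($1)` rationale is not visible.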
diff -pruN refpolicy-git-07122016-orig/policy/modules/system/authlogin.te refpolicy-git-07122016/policy/modules/system/authlogin.te
--- refpolicy-git-07122016-orig/policy/modules/system/authlogin.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-07122016/policy/modules/system/authlogin.te 2016-12-07 22:45:51.162104654 +0100
@@ -296,6 +296,7 @@ miscfiles_read_generic_certs(pam_console
seutil_read_file_contexts(pam_console_t)

userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
+userdom_read_user_certs(pam_console_t)

ifdef(`distro_ubuntu',`
optional_policy(`
@@ -421,6 +422,7 @@ sysnet_dns_name_resolve(nsswitch_domain)
tunable_policy(`authlogin_nsswitch_use_ldap',`
miscfiles_read_generic_certs(nsswitch_domain)
sysnet_use_ldap(nsswitch_domain)
+ userdom_read_user_certs(nsswitch_domain)
')

optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/system/init.te refpolicy-git-07122016/policy/modules/system/init.te
--- refpolicy-git-07122016-orig/policy/modules/system/init.te 2016-10-29 16:29:13.455156238 +0200
+++ refpolicy-git-07122016/policy/modules/system/init.te 2016-12-07 22:44:43.652981734 +0100
@@ -561,6 +561,7 @@ modutils_domtrans_insmod(initrc_t)

seutil_read_config(initrc_t)

+userdom_read_user_certs(initrc_t)
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
diff -pruN refpolicy-git-07122016-orig/policy/modules/system/udev.te refpolicy-git-07122016/policy/modules/system/udev.te
--- refpolicy-git-07122016-orig/policy/modules/system/udev.te 2016-10-29 16:29:13.457156292 +0200
+++ refpolicy-git-07122016/policy/modules/system/udev.te 2016-12-07 22:48:33.332802140 +0100
@@ -185,6 +185,7 @@ ifdef(`distro_debian',`
kernel_read_vm_sysctls(udev_t)
corenet_udp_bind_generic_node(udev_t)
miscfiles_read_generic_certs(udev_t)
+ userdom_read_user_certs(udev_t)
avahi_create_pid_dirs(udev_t)
avahi_initrc_domtrans(udev_t)
avahi_manage_pid_files(udev_t)


2016-12-08 23:47:55

by Chris PeBenito

Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy

On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
> Whenever a module uses the miscfiles_read_generic_certs() interface
> to read system-wide SSL certificates, it should also be allowed to
> read user certificates by using the new userdom_read_user_certs()
> interface.

I don't agree that a domain that has miscfiles_read_generic_certs()
should automatically be able to read user certs.


> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/apache.te | 3 +++
> policy/modules/contrib/automount.te | 1 +
> policy/modules/contrib/avahi.te | 1 +
> policy/modules/contrib/bind.te | 1 +
> policy/modules/contrib/cyrus.te | 1 +
> policy/modules/contrib/dbus.te | 1 +
> policy/modules/contrib/dovecot.te | 1 +
> policy/modules/contrib/exim.te | 1 +
> policy/modules/contrib/fetchmail.te | 1 +
> policy/modules/contrib/geoclue.te | 2 ++
> policy/modules/contrib/irc.te | 1 +
> policy/modules/contrib/kerberos.te | 1 +
> policy/modules/contrib/ldap.te | 1 +
> policy/modules/contrib/mozilla.te | 2 ++
> policy/modules/contrib/networkmanager.te | 2 +-
> policy/modules/contrib/portage.te | 1 +
> policy/modules/contrib/postfix.te | 1 +
> policy/modules/contrib/puppet.te | 4 ++++
> policy/modules/contrib/radius.te | 1 +
> policy/modules/contrib/rhsmcertd.te | 2 ++
> policy/modules/contrib/rpc.te | 2 ++
> policy/modules/contrib/samba.te | 1 +
> policy/modules/contrib/sasl.te | 1 +
> policy/modules/contrib/sendmail.te | 1 +
> policy/modules/contrib/squid.te | 1 +
> policy/modules/contrib/sssd.te | 2 ++
> policy/modules/contrib/stunnel.te | 1 +
> policy/modules/contrib/syncthing.te | 1 +
> policy/modules/contrib/virt.te | 1 +
> policy/modules/contrib/w3c.te | 2 ++
> policy/modules/services/ssh.if | 2 ++
> policy/modules/system/authlogin.if | 2 ++
> policy/modules/system/authlogin.te | 2 ++
> policy/modules/system/init.te | 1 +
> policy/modules/system/udev.te | 1 +
> 35 files changed, 49 insertions(+), 1 deletion(-)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/apache.te refpolicy-git-07122016/policy/modules/contrib/apache.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/apache.te 2016-10-29 16:29:19.662325285 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/apache.te 2016-12-07 22:32:33.448835795 +0100
> @@ -525,6 +525,7 @@ miscfiles_read_tetex_data(httpd_t)
>
> seutil_dontaudit_search_config(httpd_t)
>
> +userdom_read_user_certs(httpd_t)
> userdom_use_unpriv_users_fds(httpd_t)
>
> ifdef(`TODO',`
> @@ -1398,6 +1399,8 @@ auth_use_nsswitch(httpd_passwd_t)
> miscfiles_read_generic_certs(httpd_passwd_t)
> miscfiles_read_localization(httpd_passwd_t)
>
> +userdom_read_user_certs(httpd_passwd_t)
> +
> ########################################
> #
> # GPG local policy
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/automount.te refpolicy-git-07122016/policy/modules/contrib/automount.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/automount.te 2016-10-29 16:29:19.663325313 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/automount.te 2016-12-07 22:31:19.088598917 +0100
> @@ -145,6 +145,7 @@ mount_domtrans(automount_t)
> mount_signal(automount_t)
>
> userdom_dontaudit_use_unpriv_user_fds(automount_t)
> +userdom_read_user_certs(automount_t)
>
> optional_policy(`
> fstools_domtrans(automount_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/avahi.te refpolicy-git-07122016/policy/modules/contrib/avahi.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/avahi.te 2016-10-29 16:29:19.663325313 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/avahi.te 2016-12-07 22:29:52.589160116 +0100
> @@ -96,6 +96,7 @@ sysnet_etc_filetrans_config(avahi_t)
>
> userdom_dontaudit_use_unpriv_user_fds(avahi_t)
> userdom_dontaudit_search_user_home_dirs(avahi_t)
> +userdom_read_user_certs(avahi_t)
>
> optional_policy(`
> dbus_system_domain(avahi_t, avahi_exec_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/bind.te refpolicy-git-07122016/policy/modules/contrib/bind.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/bind.te 2016-10-29 16:29:19.663325313 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/bind.te 2016-12-07 22:34:05.532367477 +0100
> @@ -165,6 +165,7 @@ miscfiles_read_localization(named_t)
>
> userdom_dontaudit_use_unpriv_user_fds(named_t)
> userdom_dontaudit_search_user_home_dirs(named_t)
> +userdom_read_user_certs(named_t)
>
> tunable_policy(`named_tcp_bind_http_port',`
> corenet_sendrecv_http_server_packets(named_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/cyrus.te refpolicy-git-07122016/policy/modules/contrib/cyrus.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/cyrus.te 2016-08-14 21:28:11.475519313 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/cyrus.te 2016-12-07 22:34:28.936756777 +0100
> @@ -112,6 +112,7 @@ miscfiles_read_generic_certs(cyrus_t)
>
> userdom_use_unpriv_users_fds(cyrus_t)
> userdom_dontaudit_search_user_home_dirs(cyrus_t)
> +userdom_read_user_certs(cyrus_t)
>
> mta_manage_spool(cyrus_t)
> mta_send_mail(cyrus_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te refpolicy-git-07122016/policy/modules/contrib/dbus.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/dbus.te 2016-12-07 22:33:02.912325877 +0100
> @@ -142,6 +142,7 @@ seutil_read_default_contexts(system_dbus
>
> userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
> userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
> +userdom_read_user_certs(system_dbusd_t)
>
> optional_policy(`
> bluetooth_stream_connect(system_dbusd_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dovecot.te refpolicy-git-07122016/policy/modules/contrib/dovecot.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/dovecot.te 2016-08-14 21:28:11.483519435 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/dovecot.te 2016-12-07 22:37:48.690079398 +0100
> @@ -172,6 +172,7 @@ auth_use_nsswitch(dovecot_t)
> miscfiles_read_generic_certs(dovecot_t)
>
> userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
> +userdom_read_user_certs(dovecot_t)
> userdom_use_user_terminals(dovecot_t)
>
> tunable_policy(`use_nfs_home_dirs',`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/exim.te refpolicy-git-07122016/policy/modules/contrib/exim.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/exim.te 2016-08-14 21:28:11.486519481 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/exim.te 2016-12-07 22:27:50.365127088 +0100
> @@ -158,6 +158,7 @@ miscfiles_read_localization(exim_t)
> miscfiles_read_generic_certs(exim_t)
>
> userdom_dontaudit_search_user_home_dirs(exim_t)
> +userdom_read_user_certs(exim_t)
>
> mta_read_aliases(exim_t)
> mta_read_config(exim_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/fetchmail.te refpolicy-git-07122016/policy/modules/contrib/fetchmail.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/fetchmail.te 2016-08-14 21:28:11.487519497 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/fetchmail.te 2016-12-07 22:33:46.074043815 +0100
> @@ -92,6 +92,7 @@ miscfiles_read_localization(fetchmail_t)
> miscfiles_read_generic_certs(fetchmail_t)
>
> userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
> +userdom_read_user_certs(fetchmail_t)
> userdom_search_user_home_dirs(fetchmail_t)
>
> optional_policy(`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/geoclue.te refpolicy-git-07122016/policy/modules/contrib/geoclue.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/geoclue.te 2016-10-29 16:29:19.665325367 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/geoclue.te 2016-12-07 22:33:23.292664878 +0100
> @@ -33,6 +33,8 @@ auth_use_nsswitch(geoclue_t)
> miscfiles_read_generic_certs(geoclue_t)
> miscfiles_read_localization(geoclue_t)
>
> +userdom_read_user_certs(geoclue_t)
> +
> optional_policy(`
> avahi_dbus_chat(geoclue_t)
> ')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/irc.te refpolicy-git-07122016/policy/modules/contrib/irc.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/irc.te 2016-08-14 21:28:11.502519727 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/irc.te 2016-12-07 22:30:49.819112058 +0100
> @@ -116,6 +116,7 @@ userdom_use_user_terminals(irc_t)
>
> userdom_manage_user_home_content_dirs(irc_t)
> userdom_manage_user_home_content_files(irc_t)
> +userdom_read_user_certs(irc_t)
> userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
>
> tunable_policy(`irc_use_any_tcp_ports',`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/kerberos.te refpolicy-git-07122016/policy/modules/contrib/kerberos.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/kerberos.te 2016-08-14 21:28:11.506519789 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/kerberos.te 2016-12-07 22:44:02.192292092 +0100
> @@ -255,6 +255,7 @@ sysnet_use_ldap(krb5kdc_t)
>
> userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
> userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
> +userdom_read_user_certs(krb5kdc_t)
>
> optional_policy(`
> ldap_stream_connect(krb5kdc_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/ldap.te refpolicy-git-07122016/policy/modules/contrib/ldap.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/ldap.te 2016-10-29 16:29:19.666325394 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/ldap.te 2016-12-07 22:38:33.985832831 +0100
> @@ -130,6 +130,7 @@ miscfiles_read_localization(slapd_t)
>
> userdom_dontaudit_use_unpriv_user_fds(slapd_t)
> userdom_dontaudit_search_user_home_dirs(slapd_t)
> +userdom_read_user_certs(slapd_t)
>
> optional_policy(`
> kerberos_manage_host_rcache(slapd_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te refpolicy-git-07122016/policy/modules/contrib/mozilla.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te 2016-12-07 13:39:50.051911134 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/mozilla.te 2016-12-07 22:42:55.424181497 +0100
> @@ -496,6 +496,8 @@ userdom_user_home_dir_filetrans_user_hom
>
> userdom_write_user_tmp_sockets(mozilla_plugin_t)
>
> +userdom_read_user_certs(mozilla_plugin_t)
> +
> userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
>
> ifndef(`enable_mls',`
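Review bot: `userdom_read_user_certs(mozilla_plugin_t)` gives the plugin domain read access to the whole user certificate store, and if that store is `~/.pki`, as the comment in the networkmanager.te hunk says, it usually holds the NSS key database alongside the certificates. A domain that presumably handles untrusted web content should not be able to read private-key material unless client-certificate use from the plugin is a known requirement. The same concern applies to `httpd_w3c_validator_script_t` in the w3c.te hunk. If only trust anchors and revocation lists are wanted, a narrower type or interface for those files would fit better, and the rule should carry a comment saying which it is, e.g. `# plugin needs user trust anchors/CRLs from ~/.pki`.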
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te refpolicy-git-07122016/policy/modules/contrib/networkmanager.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te 2016-10-29 16:29:19.759327926 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/networkmanager.te 2016-12-07 22:28:42.917001217 +0100
> @@ -176,7 +176,7 @@ sysnet_manage_config(NetworkManager_t)
> sysnet_etc_filetrans_config(NetworkManager_t)
>
> # certificates in user home directories (cert_home_t in ~/\.pki)
> -userdom_read_user_home_content_files(NetworkManager_t)
> +userdom_read_user_certs(NetworkManager_t)
>
> userdom_write_user_tmp_sockets(NetworkManager_t)
> userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
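Review bot: Swapping `userdom_read_user_home_content_files(NetworkManager_t)` for `userdom_read_user_certs(NetworkManager_t)` narrows the grant to what the comment above it names (`cert_home_t in ~/\.pki`), but nothing in the hunk covers certificates or keys that connection profiles reference elsewhere under the home directory. If NetworkManager is expected to read such files (802.1X or VPN material is often kept outside `~/.pki`), they would presumably now be denied. It is worth testing with such a profile and checking the audit log for denials before deciding whether a tunable or relabelling guidance is needed. The comment could state the limit, e.g. `# only certificates labelled cert_home_t (~/.pki); other files in the home directory are not readable`. The same one-line change is reposted as a standalone patch later in the thread.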
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/portage.te refpolicy-git-07122016/policy/modules/contrib/portage.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/portage.te 2016-08-14 21:28:11.540520311 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/portage.te 2016-12-07 22:40:40.877943507 +0100
> @@ -308,6 +308,7 @@ miscfiles_read_localization(portage_fetc
>
> userdom_use_user_terminals(portage_fetch_t)
> userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
> +userdom_read_user_certs(portage_fetch_t)
>
> rsync_exec(portage_fetch_t)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/postfix.te refpolicy-git-07122016/policy/modules/contrib/postfix.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/postfix.te 2016-08-14 21:28:11.542520342 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/postfix.te 2016-12-07 22:38:10.593443730 +0100
> @@ -161,6 +161,7 @@ miscfiles_read_localization(postfix_doma
> miscfiles_read_generic_certs(postfix_domain)
>
> userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
> +userdom_read_user_certs(postfix_domain)
>
> optional_policy(`
> udev_read_db(postfix_domain)
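Review bot: `userdom_read_user_certs(postfix_domain)` is applied to what appears to be an attribute rather than a single type, so every domain carrying `postfix_domain` gains read access to user certificates, not only the ones that perform TLS on a user's behalf. The same widening occurs in authlogin.if, where the call sits inside `auth_domtrans_chk_passwd` and is granted to every caller's `$1`, and in authlogin.te, where it is granted to `nsswitch_domain` under `authlogin_nsswitch_use_ldap`. I would attach the rule to the specific types that need it and add a comment naming the consumer, e.g. `# <domain> loads client certificates from ~/.pki`. The enclosing blocks in those files start outside their hunks, so the full set of affected domains is not visible here.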
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/puppet.te refpolicy-git-07122016/policy/modules/contrib/puppet.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/puppet.te 2016-10-29 16:29:19.760327953 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/puppet.te 2016-12-07 22:35:22.343645122 +0100
> @@ -246,6 +246,8 @@ miscfiles_read_generic_certs(puppetca_t)
>
> seutil_read_file_contexts(puppetca_t)
>
> +userdom_read_user_certs(puppetca_t)
> +
> optional_policy(`
> hostname_exec(puppetca_t)
> ')
> @@ -324,6 +326,8 @@ seutil_read_file_contexts(puppetmaster_t
>
> sysnet_run_ifconfig(puppetmaster_t, system_r)
>
> +userdom_read_user_certs(puppetmaster_t)
> +
> optional_policy(`
> hostname_exec(puppetmaster_t)
> ')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/radius.te refpolicy-git-07122016/policy/modules/contrib/radius.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/radius.te 2016-08-14 21:28:11.552520496 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/radius.te 2016-12-07 22:38:52.748144915 +0100
> @@ -116,6 +116,7 @@ sysnet_use_ldap(radiusd_t)
>
> userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
> userdom_dontaudit_search_user_home_dirs(radiusd_t)
> +userdom_read_user_certs(radiusd_t)
>
> optional_policy(`
> cron_system_entry(radiusd_t, radiusd_exec_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rhsmcertd.te refpolicy-git-07122016/policy/modules/contrib/rhsmcertd.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/rhsmcertd.te 2016-08-14 21:28:11.558520588 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/rhsmcertd.te 2016-12-07 22:36:51.336125394 +0100
> @@ -69,6 +69,8 @@ miscfiles_read_generic_certs(rhsmcertd_t
>
> sysnet_dns_name_resolve(rhsmcertd_t)
>
> +userdom_read_user_certs(rhsmcertd_t)
> +
> optional_policy(`
> rpm_read_db(rhsmcertd_t)
> ')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rpc.te refpolicy-git-07122016/policy/modules/contrib/rpc.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/rpc.te 2016-10-29 16:29:19.760327953 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/rpc.te 2016-12-07 22:36:03.763334093 +0100
> @@ -183,6 +183,7 @@ miscfiles_read_generic_certs(rpcd_t)
>
> seutil_dontaudit_search_config(rpcd_t)
>
> +userdom_read_user_certs(rpcd_t)
> userdom_signal_all_users(rpcd_t)
>
> ifdef(`distro_debian',`
> @@ -315,6 +316,7 @@ auth_manage_cache(gssd_t)
>
> miscfiles_read_generic_certs(gssd_t)
>
> +userdom_read_user_certs(gssd_t)
> userdom_signal_all_users(gssd_t)
>
> tunable_policy(`allow_gssd_read_tmp',`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/samba.te refpolicy-git-07122016/policy/modules/contrib/samba.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/samba.te 2016-10-29 16:29:19.760327953 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/samba.te 2016-12-07 22:26:58.344261788 +0100
> @@ -938,6 +938,7 @@ userdom_manage_user_home_content_files(w
> userdom_manage_user_home_content_symlinks(winbind_t)
> userdom_manage_user_home_content_pipes(winbind_t)
> userdom_manage_user_home_content_sockets(winbind_t)
> +userdom_read_user_certs(winbind_t)
> userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
>
> optional_policy(`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sasl.te refpolicy-git-07122016/policy/modules/contrib/sasl.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/sasl.te 2016-08-14 21:28:11.566520711 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/sasl.te 2016-12-07 22:39:43.641991464 +0100
> @@ -89,6 +89,7 @@ seutil_dontaudit_read_config(saslauthd_t
>
> userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
> userdom_dontaudit_search_user_home_dirs(saslauthd_t)
> +userdom_read_user_certs(saslauthd_t)
>
> auth_can_read_shadow_passwords(saslauthd_t)
> tunable_policy(`allow_saslauthd_read_shadow',`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sendmail.te refpolicy-git-07122016/policy/modules/contrib/sendmail.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/sendmail.te 2016-08-14 21:28:11.568520741 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/sendmail.te 2016-12-07 22:43:38.997906286 +0100
> @@ -115,6 +115,7 @@ miscfiles_read_generic_certs(sendmail_t)
> miscfiles_read_localization(sendmail_t)
>
> userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
> +userdom_read_user_certs(sendmail_t)
>
> mta_etc_filetrans_aliases(sendmail_t, file, "aliases")
> mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/squid.te refpolicy-git-07122016/policy/modules/contrib/squid.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/squid.te 2016-08-14 21:28:11.576520864 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/squid.te 2016-12-07 22:37:12.074470348 +0100
> @@ -180,6 +180,7 @@ miscfiles_read_localization(squid_t)
>
> userdom_use_unpriv_users_fds(squid_t)
> userdom_dontaudit_search_user_home_dirs(squid_t)
> +userdom_read_user_certs(squid_t)
>
> tunable_policy(`squid_connect_any',`
> corenet_tcp_connect_all_ports(squid_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sssd.te refpolicy-git-07122016/policy/modules/contrib/sssd.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/sssd.te 2016-08-14 21:28:11.577520880 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/sssd.te 2016-12-07 22:30:15.278537523 +0100
> @@ -117,6 +117,8 @@ miscfiles_read_localization(sssd_t)
> sysnet_dns_name_resolve(sssd_t)
> sysnet_use_ldap(sssd_t)
>
> +userdom_read_user_certs(sssd_t)
> +
> optional_policy(`
> dbus_system_bus_client(sssd_t)
> dbus_connect_system_bus(sssd_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/stunnel.te refpolicy-git-07122016/policy/modules/contrib/stunnel.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/stunnel.te 2016-08-14 21:28:11.577520880 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/stunnel.te 2016-12-07 22:36:21.764633513 +0100
> @@ -79,6 +79,7 @@ miscfiles_read_localization(stunnel_t)
>
> userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
> userdom_dontaudit_search_user_home_dirs(stunnel_t)
> +userdom_read_user_certs(stunnel_t)
>
> optional_policy(`
> daemontools_service_domain(stunnel_t, stunnel_exec_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/syncthing.te refpolicy-git-07122016/policy/modules/contrib/syncthing.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/syncthing.te 2016-10-29 16:29:19.761327980 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/syncthing.te 2016-12-07 22:40:18.758575580 +0100
> @@ -61,6 +61,7 @@ miscfiles_read_localization(syncthing_t)
> userdom_manage_user_home_content_files(syncthing_t)
> userdom_manage_user_home_content_dirs(syncthing_t)
> userdom_manage_user_home_content_symlinks(syncthing_t)
> +userdom_read_user_certs(syncthing_t)
> userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
> userdom_use_user_terminals(syncthing_t)
> # newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/virt.te refpolicy-git-07122016/policy/modules/contrib/virt.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/virt.te 2016-10-29 16:29:19.762328008 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/virt.te 2016-12-07 22:31:43.040997330 +0100
> @@ -668,6 +668,7 @@ sysnet_signal_ifconfig(virtd_t)
> sysnet_domtrans_ifconfig(virtd_t)
>
> userdom_read_all_users_state(virtd_t)
> +userdom_read_user_certs(virtd_t)
>
> ifdef(`hide_broken_symptoms',`
> dontaudit virtd_t self:capability { sys_module sys_ptrace };
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/w3c.te refpolicy-git-07122016/policy/modules/contrib/w3c.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/w3c.te 2016-08-14 21:28:11.595521156 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/w3c.te 2016-12-07 22:29:10.371457882 +0100
> @@ -32,3 +32,5 @@ corenet_tcp_sendrecv_http_cache_port(htt
> miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
>
> sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
> +
> +userdom_read_user_certs(httpd_w3c_validator_script_t)
> diff -pruN refpolicy-git-07122016-orig/policy/modules/services/ssh.if refpolicy-git-07122016/policy/modules/services/ssh.if
> --- refpolicy-git-07122016-orig/policy/modules/services/ssh.if 2016-08-14 21:24:48.949382056 +0200
> +++ refpolicy-git-07122016/policy/modules/services/ssh.if 2016-12-07 22:49:25.595671461 +0100
> @@ -394,6 +394,8 @@ template(`ssh_role_template',`
>
> seutil_dontaudit_read_config($1_ssh_agent_t)
>
> + userdom_read_user_certs($1_ssh_agent_t)
> +
> # Write to the user domain tty.
> userdom_use_user_terminals($1_ssh_agent_t)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/system/authlogin.if refpolicy-git-07122016/policy/modules/system/authlogin.if
> --- refpolicy-git-07122016-orig/policy/modules/system/authlogin.if 2016-08-14 21:24:48.953382119 +0200
> +++ refpolicy-git-07122016/policy/modules/system/authlogin.if 2016-12-07 22:46:36.779863443 +0100
> @@ -390,6 +390,8 @@ interface(`auth_domtrans_chk_passwd',`
>
> miscfiles_read_generic_certs($1)
>
> + userdom_read_user_certs($1)
> +
> optional_policy(`
> kerberos_read_keytab($1)
> ')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/system/authlogin.te refpolicy-git-07122016/policy/modules/system/authlogin.te
> --- refpolicy-git-07122016-orig/policy/modules/system/authlogin.te 2016-10-29 16:29:13.454156211 +0200
> +++ refpolicy-git-07122016/policy/modules/system/authlogin.te 2016-12-07 22:45:51.162104654 +0100
> @@ -296,6 +296,7 @@ miscfiles_read_generic_certs(pam_console
> seutil_read_file_contexts(pam_console_t)
>
> userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
> +userdom_read_user_certs(pam_console_t)
>
> ifdef(`distro_ubuntu',`
> optional_policy(`
> @@ -421,6 +422,7 @@ sysnet_dns_name_resolve(nsswitch_domain)
> tunable_policy(`authlogin_nsswitch_use_ldap',`
> miscfiles_read_generic_certs(nsswitch_domain)
> sysnet_use_ldap(nsswitch_domain)
> + userdom_read_user_certs(nsswitch_domain)
> ')
>
> optional_policy(`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/system/init.te refpolicy-git-07122016/policy/modules/system/init.te
> --- refpolicy-git-07122016-orig/policy/modules/system/init.te 2016-10-29 16:29:13.455156238 +0200
> +++ refpolicy-git-07122016/policy/modules/system/init.te 2016-12-07 22:44:43.652981734 +0100
> @@ -561,6 +561,7 @@ modutils_domtrans_insmod(initrc_t)
>
> seutil_read_config(initrc_t)
>
> +userdom_read_user_certs(initrc_t)
> userdom_read_user_home_content_files(initrc_t)
> # Allow access to the sysadm TTYs. Note that this will give access to the
> # TTYs to any process in the initrc_t domain. Therefore, daemons and such
> diff -pruN refpolicy-git-07122016-orig/policy/modules/system/udev.te refpolicy-git-07122016/policy/modules/system/udev.te
> --- refpolicy-git-07122016-orig/policy/modules/system/udev.te 2016-10-29 16:29:13.457156292 +0200
> +++ refpolicy-git-07122016/policy/modules/system/udev.te 2016-12-07 22:48:33.332802140 +0100
> @@ -185,6 +185,7 @@ ifdef(`distro_debian',`
> kernel_read_vm_sysctls(udev_t)
> corenet_udp_bind_generic_node(udev_t)
> miscfiles_read_generic_certs(udev_t)
> + userdom_read_user_certs(udev_t)
> avahi_create_pid_dirs(udev_t)
> avahi_initrc_domtrans(udev_t)
> avahi_manage_pid_files(udev_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito

2016-12-08 23:53:40

by guido

Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy

Hello Christopher.

On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
> On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
> >
> > Whenever a module uses the miscfiles_read_generic_certs() interface
> > to read system-wide SSL certificates, it should also be allowed to
> > read user certificates by using the new userdom_read_user_certs()
> > interface.
>
> I don't agree that a domain that has miscfiles_read_generic_certs()
> should automatically be able to read user certs.

What is your concern about this ?

If it is not enabled, user certificates and revocations are not used,
if available.

Regards,

Guido

2016-12-11 19:37:50

by Chris PeBenito

Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy

On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote:
> Hello Christopher.
>
> On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
>> On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
>>>
>>> Whenever a module uses the miscfiles_read_generic_certs() interface
>>> to read system-wide SSL certificates, it should also be allowed to
>>> read user certificates by using the new userdom_read_user_certs()
>>> interface.
>>
>> I don't agree that a domain that has miscfiles_read_generic_certs()
>> should automatically be able to read user certs.
>
> What is your concern about this ?
>
> If it is not enabled, user certificates and revocations are not used,
> if available.


There are many domains in here that don't seem to directly involve a
local user (almost all, if not all daemons) or have a secondary domain
that does that access. As these certs are user data, I'd need
explanations why they need this access.


--
Chris PeBenito

2016-12-11 20:03:54

by guido

Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy

On Sun, 11/12/2016 at 14.37 -0500, Chris PeBenito wrote:
> On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote:
> >
> > Hello Christopher.
> >
> > On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
> > >
> > > On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
> > > >
> > > >
> > > > Whenever a module uses the miscfiles_read_generic_certs()
> > > > interface
> > > > to read system-wide SSL certificates, it should also be allowed
> > > > to
> > > > read user certificates by using the new
> > > > userdom_read_user_certs()
> > > > interface.
> > >
> > > I don't agree that a domain that has
> > > miscfiles_read_generic_certs()
> > > should automatically be able to read user certs.
> >
> > What is your concern about this ?
> >
> > If it is not enabled, user certificates and revocations are not
> > used,
> > if available.
>
>
> There are many domains in here that don't seem to directly involve a
> local user (almost all, if not all daemons) or have a secondary
> domain
> that does that access. As these certs are user data, I'd need
> explanations why they need this access.

Even if some or most of them are daemons, so what ?

If they have an home directory and some real user that administrate it,
they can set up their own private certificates.

For example, to name one of them, apache can have its own private
certificate revocation list in addition to the one provided system-
wide. This is because a real user with administrative privileges over
the apache home directory has configured a .pki directory there.

What's wrong with this ?

Regards,

Guido

2016-12-11 20:28:51

by guido

Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy

On Sun, 11/12/2016 at 14.37 -0500, Chris PeBenito wrote:
> On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote:
> >
> > Hello Christopher.
> >
> > On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
> > >
> > > On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
> > > >
> > > >
> > > > Whenever a module uses the miscfiles_read_generic_certs()
> > > > interface
> > > > to read system-wide SSL certificates, it should also be allowed
> > > > to
> > > > read user certificates by using the new
> > > > userdom_read_user_certs()
> > > > interface.
> > >
> > > I don't agree that a domain that has
> > > miscfiles_read_generic_certs()
> > > should automatically be able to read user certs.
> >
> > What is your concern about this ?
> >
> > If it is not enabled, user certificates and revocations are not
> > used,
> > if available.
>
>
> There are many domains in here that don't seem to directly involve a
> local user (almost all, if not all daemons) or have a secondary
> domain
> that does that access. As these certs are user data, I'd need
> explanations why they need this access.

Also consider the current situation: daemons such as Network Manager
are reading the whole user directory content just to access the user
certificates... This is a very bad situation, in my opinion.

Regards,

Guido

2016-12-13 23:13:51

by Chris PeBenito

Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy

On 12/11/16 15:03, Guido Trentalancia via refpolicy wrote:
> On Sun, 11/12/2016 at 14.37 -0500, Chris PeBenito wrote:
>> On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote:
>>>
>>> Hello Christopher.
>>>
>>> On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
>>>>
>>>> On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
>>>>>
>>>>>
>>>>> Whenever a module uses the miscfiles_read_generic_certs()
>>>>> interface
>>>>> to read system-wide SSL certificates, it should also be allowed
>>>>> to
>>>>> read user certificates by using the new
>>>>> userdom_read_user_certs()
>>>>> interface.
>>>>
>>>> I don't agree that a domain that has
>>>> miscfiles_read_generic_certs()
>>>> should automatically be able to read user certs.
>>>
>>> What is your concern about this ?
>>>
>>> If it is not enabled, user certificates and revocations are not
>>> used,
>>> if available.
>>
>>
>> There are many domains in here that don't seem to directly involve a
>> local user (almost all, if not all daemons) or have a secondary
>> domain
>> that does that access. As these certs are user data, I'd need
>> explanations why they need this access.
>
> Even if some or most of them are daemons, so what ?

Daemons that don't directly interact with the user have no basis for
looking in the user's home directory. For example, there are domains
like bind_t and avahi_t where the rule was added right next to existing
userdom_dontaudit_search_user_home_dirs().

I also want to make clear that I think some daemons may need this
access. I don't think that all need this access.


--
Chris PeBenito

2016-12-13 23:19:42

by guido

Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy

Hello,

That's fine if you suggest leaving this out, but I suppose we should forbid NetworkManager from reading the whole user content!

What do you say? Shall I prepare a small patch for this?

Regards,

Guido

On the 14th of December 2016 00:13:51 CET, Chris PeBenito <[email protected]> wrote:
>On 12/11/16 15:03, Guido Trentalancia via refpolicy wrote:
>> On Sun, 11/12/2016 at 14.37 -0500, Chris PeBenito wrote:
>>> On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote:
>>>>
>>>> Hello Christopher.
>>>>
>>>> On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
>>>>>
>>>>> On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
>>>>>>
>>>>>>
>>>>>> Whenever a module uses the miscfiles_read_generic_certs()
>>>>>> interface
>>>>>> to read system-wide SSL certificates, it should also be allowed
>>>>>> to
>>>>>> read user certificates by using the new
>>>>>> userdom_read_user_certs()
>>>>>> interface.
>>>>>
>>>>> I don't agree that a domain that has
>>>>> miscfiles_read_generic_certs()
>>>>> should automatically be able to read user certs.
>>>>
>>>> What is your concern about this ?
>>>>
>>>> If it is not enabled, user certificates and revocations are not
>>>> used,
>>>> if available.
>>>
>>>
>>> There are many domains in here that don't seem to directly involve a
>>> local user (almost all, if not all daemons) or have a secondary
>>> domain
>>> that does that access. As these certs are user data, I'd need
>>> explanations why they need this access.
>>
>> Even if some or most of them are daemons, so what ?
>
>Daemons that don't directly interact with the user have no basis for
>looking in the user's home directory. For example, there are domains
>like bind_t and avahi_t where the rule was added right next to existing
>
>userdom_dontaudit_search_user_home_dirs().
>
>I also want to make clear that I think some daemons may need this
>access. I don't think that all need this access.

2016-12-14 21:11:17

by Chris PeBenito

Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy

On 12/13/16 18:19, Guido Trentalancia via refpolicy wrote:
> Hello,
>
> that's fine if you suggest to leave this out, but I suppose we should forbid NetworkManager read the whole user content!
>
> What do you say? Shall I prepare a small patch for this?

That's fine.


> On the 14th of December 2016 00:13:51 CET, Chris PeBenito <[email protected]> wrote:
>> On 12/11/16 15:03, Guido Trentalancia via refpolicy wrote:
>>> On Sun, 11/12/2016 at 14.37 -0500, Chris PeBenito wrote:
>>>> On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote:
>>>>>
>>>>> Hello Christopher.
>>>>>
>>>>> On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
>>>>>>
>>>>>> On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
>>>>>>>
>>>>>>>
>>>>>>> Whenever a module uses the miscfiles_read_generic_certs()
>>>>>>> interface
>>>>>>> to read system-wide SSL certificates, it should also be allowed
>>>>>>> to
>>>>>>> read user certificates by using the new
>>>>>>> userdom_read_user_certs()
>>>>>>> interface.
>>>>>>
>>>>>> I don't agree that a domain that has
>>>>>> miscfiles_read_generic_certs()
>>>>>> should automatically be able to read user certs.
>>>>>
>>>>> What is your concern about this ?
>>>>>
>>>>> If it is not enabled, user certificates and revocations are not
>>>>> used,
>>>>> if available.
>>>>
>>>>
>>>> There are many domains in here that don't seem to directly involve a
>>>> local user (almost all, if not all daemons) or have a secondary
>>>> domain
>>>> that does that access. As these certs are user data, I'd need
>>>> explanations why they need this access.
>>>
>>> Even if some or most of them are daemons, so what ?
>>
>> Daemons that don't directly interact with the user have no basis for
>> looking in the user's home directory. For example, there are domains
>> like bind_t and avahi_t where the rule was added right next to existing
>>
>> userdom_dontaudit_search_user_home_dirs().
>>
>> I also want to make clear that I think some daemons may need this
>> access. I don't think that all need this access.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito

2016-12-14 22:58:00

by guido

Subject: [refpolicy] [PATCH] networkmanager: read user certs not user content (was enable userdom_read_user_certs() throughout the policy)

Let NetworkManager read user certificates (~/.pki), not user
content !

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/networkmanager.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/policy/modules/contrib/networkmanager.te 2016-12-14 02:24:56.229067294 +0100
+++ b/policy/modules/contrib/networkmanager.te 2016-12-14 23:50:47.184921529 +0100
@@ -176,7 +176,7 @@ sysnet_manage_config(NetworkManager_t)
sysnet_etc_filetrans_config(NetworkManager_t)

# certificates in user home directories (cert_home_t in ~/\.pki)
-userdom_read_user_home_content_files(NetworkManager_t)
+userdom_read_user_certs(NetworkManager_t)

userdom_write_user_tmp_sockets(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)

2016-12-16 00:31:55

by Chris PeBenito

Subject: [refpolicy] [PATCH] networkmanager: read user certs not user content (was enable userdom_read_user_certs() throughout the policy)

On 12/14/16 17:58, Guido Trentalancia via refpolicy wrote:
> Let NetworkManager read user certificates (~/.pki), not user
> content !
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/networkmanager.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/policy/modules/contrib/networkmanager.te 2016-12-14 02:24:56.229067294 +0100
> +++ b/policy/modules/contrib/networkmanager.te 2016-12-14 23:50:47.184921529 +0100
> @@ -176,7 +176,7 @@ sysnet_manage_config(NetworkManager_t)
> sysnet_etc_filetrans_config(NetworkManager_t)
>
> # certificates in user home directories (cert_home_t in ~/\.pki)
> -userdom_read_user_home_content_files(NetworkManager_t)
> +userdom_read_user_certs(NetworkManager_t)
>
> userdom_write_user_tmp_sockets(NetworkManager_t)
> userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)

Merged.

--
Chris PeBenito